package com.spring.arch.uaa.config;

import com.spring.arch.common.security.SecurityProperties;
import com.spring.arch.uaa.oauth2.dynamic.DynamicallyUrlProcessor;
import com.spring.arch.uaa.oauth2.handler.SecurityAuthenticationEntryPoint;
import com.spring.arch.common.security.SecurityProperties;
import com.spring.arch.uaa.oauth2.dynamic.DynamicallyUrlProcessor;
import com.spring.arch.uaa.oauth2.handler.SecurityAuthenticationEntryPoint;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * 资源服务配置
 *
 * @author Frank
 */
@EnableConfigurationProperties(SecurityProperties.class)
@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String SECURITY_IGNORE_URLS_SPILT_CHAR = ",";

    @Autowired
    private SecurityProperties securityProperties;
    @Autowired
    private TokenStore tokenStore;
    @Autowired
    private DefaultTokenServices tokenServices;
    @Autowired
    private AccessDeniedHandler accessDeniedHandler;
    @Autowired
    private DynamicallyUrlProcessor dynamicallyUrlProcessor;
    @Autowired
    private SecurityAuthenticationEntryPoint unauthenticatedHandler;


    @Override
    public void configure(ResourceServerSecurityConfigurer configurer) {
        configurer
                .resourceId(securityProperties.getAuth().getResourceId())
                .tokenServices(tokenServices)
                .tokenStore(tokenStore);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .cors().and()
                .csrf().disable()
                .exceptionHandling()
                .authenticationEntryPoint(this.unauthenticatedHandler)
                .accessDeniedHandler(this.accessDeniedHandler)
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        if (StringUtils.isNotBlank(securityProperties.getExcludeAuthUrl())) {
            final String[] excludeAuthUrl = StringUtils.split(securityProperties.getExcludeAuthUrl(), SECURITY_IGNORE_URLS_SPILT_CHAR);
            // 资源放行
            http.authorizeRequests().antMatchers(excludeAuthUrl).permitAll()
                    .antMatchers("/**").authenticated();
        }
//        http.authorizeRequests()
//                .anyRequest()
//                .authenticated()
//                // 设置动态权限控制
//                .withObjectPostProcessor(dynamicallyUrlProcessor.build());
        // disable cache
//        http.headers().cacheControl();
    }

}
